[Gta04-owner] [Tinkerphones] Towards QtMoko2: building QtMoko from sources

H. Nikolaus Schaller hns at goldelico.com
Sun Jun 4 11:41:19 CEST 2017


Hi Jonas and Roland,

> Am 04.06.2017 um 10:17 schrieb Jonas Smedegaard <jonas at jones.dk>:
> 
> Quoting Roland Häder (2017-06-03 22:12:23)
>> Do not bypass security! Better is to get it properly signed.
> 
> Yes, establishing a trust path (which includes offering signed package
> release files but also other parts) is better than not doing so.

Making signed Release files is much simpler than I had thought:
(https://wiki.debian.org/SecureApt#How_to_tell_apt_what_to_trust)

	cd /path-to-repo-on-server/dists/wheezy
	gpg -abs --emit-version -o Release.gpg Release
	type password...

That is all that seems to be needed on the repo server side.

> Maintained packages are even better - e.g. collectively by Debian.

In the long run yes. At the moment we are still far away from that...
There must be something maintainable first to hand it over to Debian.

>> You should then provide the GPG public key (obviously) on your website
>> so people can use it for verification the apt-key-common way:
>> 
>> gpg --keyserver pgpkeys.mit.edu --recv-key  xxxxxx
>> gpg -a --export xxxxxx | sudo apt-key add -
> 
> The above verifies only that the signing key exists on that public keyserver
> - it does not establish a trust path and is therefore not (on its own)
> trustworthy.

Yes, indeed. It does not seem to be more secure than

	wget http://believe.me/key | sudo apt-key add -

Or disabling gpg checks for the whole repository.

In both situations we simply declare that we trust those who have set
up the instructions.

Still it seems to be better than no check.

> 
> Please read http://deb.jones.dk/ and tell me which parts of that are
> flawed or superfluous or wrong in other ways.

That is a nice blueprint of exactly what I need and how it should be done!

If I get it right (just from reading and guessing what it does) it assumes
that your key is stored in debian-keyring.

And this requires that you are trusted by the maintainers of debian-keyring.

Then you can declare that you are trusted and others can verify before
taking your word only.

But how does your key get into debian-keyring?

> 
> 
>> where xxxxxx is the long key id (don't encourage short keys, they are
>> flawed as malicious people can theoretically craft a pgp key that has the
>> same (!) short key, like it already happened with Linus Torvalds' key).
> 
> Yes, do that and also a range of other best practices:
> https://help.riseup.net/en/security/message-security/openpgp/best-practices

Interesting to learn about this issue. Most likely I would have done it wrongly...

BR and thanks,
Nikolaus
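As an added example, not part of the post or the QtMoko project, here is the signing step from the post carried through to the client-side verification that Release.gpg exists to enable. It uses a throwaway key in a temporary GNUPGHOME, a constructed Release file, and assumes gpg 2.1 or newer is installed:

```shell
#!/bin/sh
# Constructed demo of the post's signing step plus the client-side check,
# done in a throwaway GNUPGHOME and temp dir. Assumes gpg 2.1 or newer.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found, nothing to demo"; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
REPO="$WORK/dists/wheezy"            # directory layout from the post
mkdir -p "$REPO"
cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"; }
trap cleanup EXIT

# Throwaway signing key with an empty passphrase so the demo runs unattended
# (the post's "type password..." step is where a real key would prompt).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'QtMoko demo <demo@example.invalid>' ed25519 sign never 2>/dev/null

# Constructed Release file; a real one comes from the repo tooling.
cat > "$REPO/Release" <<'EOF'
Suite: wheezy
Codename: wheezy
Components: main
EOF

# Server side, the post's command: armoured detached signature in Release.gpg.
sign_release() {
    (cd "$REPO" && gpg --batch --quiet --yes -abs --emit-version -o Release.gpg Release)
}

# Client side (what apt does with the imported repo key): exit 0 only if
# Release is byte-for-byte what was signed.
verify_release() {
    (cd "$REPO" && gpg --batch --quiet --verify Release.gpg Release 2>/dev/null)
}

# The public key the client imports; prints "1" when the armoured block exists.
export_pubkey() {
    gpg --batch --armor --export 'demo@example.invalid' > "$WORK/repo-key.asc"
    grep -c 'BEGIN PGP PUBLIC KEY BLOCK' "$WORK/repo-key.asc"
}

# Returns 0 when an edited Release is rejected: the client notices any change.
tampered_release_is_rejected() {
    sign_release
    printf 'Components: main contrib\n' >> "$REPO/Release"
    if verify_release; then return 1; else return 0; fi
}
```

On the client, current apt expects the exported key in a keyring referenced by a `signed-by=` option in the sources entry rather than `apt-key add`, which apt has deprecated.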
